The Privacy & E-comms regulations - a legal FAQ

The Privacy & Electronic Communications regulations came into force on 11th December 2003. The Government was required to make these regulations in order to comply with an EC Directive on the subject (Directive 2002/58/EC, commonly called the ePrivacy Directive). These regulations add to, and do not replace, existing legal requirements.

Minor amendments were made to correct a couple of errors in 2004, and significant changes were made in 2011 (implementing the amending Directive 2009/136/EC).

An annotated copy of the regulations showing them in their current amended state (as of 25-5-11) can be found here.

These regulations may be regarded as sweeping up a variety of points which many would regard as necessary to take account of relatively recent technological developments. I intend in this FAQ to summarise the key points relating to email and the internet; there are other provisions relating to phone and fax, which are outside the scope of this FAQ.

Definitions (reg 2):

‘location data’ means any data processed in an electronic communications network indicating the geographical position of the terminal equipment of a user of a public electronic communications service, including data relating to
(a) the latitude, longitude or altitude of the terminal equipment;
(b) the direction of travel of the user; or
(c) the time the location information was recorded

‘public electronic communications network’ means an electronic communications network provided wholly or mainly for the purpose of making electronic communications services available to members of the public – in this FAQ I refer to this as a PECN – the internet may generally be thought of as a PECN

‘public electronic communications service’ means any electronic communications service that is provided so as to be available for use by members of the public – in this FAQ I refer to this as a PECS – a website may generally be thought of as a PECS

‘subscriber’ means a party to a contract with a provider of a PECS

‘traffic data’ means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication, and includes data relating to the routing, duration or time of a communication

‘user’ means an individual using a PECS

Security (reg 5):

A service provider (ie a provider of a PECS) must take appropriate measures to safeguard the security of that service, if necessary in conjunction with the provider of the PECN. The 2011 amendments extend this: where personal data are involved the measures must, as a minimum, restrict access to the data to authorised personnel for legally authorised purposes, protect the data against accidental or unlawful destruction, loss, alteration and unauthorised access, and implement a security policy; a personal data breach must be notified to the Information Commissioner (and to the affected subscriber or user where it is likely to adversely affect them); and the Information Commissioner is given powers to audit compliance and to impose penalties for breach.

‘appropriate’ means proportionate to the risks the measure guards against, having regard to the state of technological developments and the cost of implementing it

If, notwithstanding such measures, there remains a significant risk to the security of the PECS, the service provider must tell the subscribers concerned (free of charge):

- the nature of the risk

- the appropriate measures that the subscriber may take to safeguard against that risk

- the likely costs to the subscriber of taking such measures

Confidentiality and cookies (reg 6):

This regulation was substantially amended in 2011. The requirement now is:

Information (‘cookies’) must not be stored on, or accessed from, the terminal equipment of a subscriber or user without first obtaining consent from the subscriber or user which is prior, express, and informed.

Such consent only needs to be obtained once in respect of the same cookie used for the same purpose; using an existing cookie for a new purpose needs fresh consent.

Whilst the regulation contains provision for consent to be obtained via browser settings, the guidance makes clear that at the present time browser technology is not sufficient to rely on this provision.

This restriction does not apply where the storage / access is for the sole purpose of carrying out or facilitating the transmission of a communication, or where the storage / access is strictly necessary for the provision of a service requested by the subscriber or user; we suggest it would be advisable to interpret ‘strictly necessary’ objectively, perhaps as ‘strictly and technically necessary’ (necessary for the service the user actually asked for, not merely convenient for the site operator, so analytics, advertising and similar cookies fall outside the exemption).
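As an added illustration (not part of this FAQ, and not code from any regulator or guidance), the following JavaScript shows the check a site could run before setting a cookie under the reg 6 rule above: exempt purposes pass, anything else needs consent recorded for that cookie and that purpose, consent for one purpose does not carry over to another, and withdrawn consent blocks the cookie again. The purpose labels, the consent store and the in-memory cookie jar standing in for document.cookie are constructed assumptions for the example.

```javascript
// Added example (not from the FAQ): a consent gate for cookies under reg 6.
// The purpose labels, consent store and cookie jar are constructed for illustration.

// Purposes covered by the reg 6 exemption: solely to carry out the transmission of a
// communication, or strictly necessary for a service the user explicitly requested.
// Everything else (analytics, advertising, ...) needs prior, express, informed consent.
const EXEMPT_PURPOSES = new Set(["transmission", "strictly-necessary"]);

// Consent is recorded per (cookie name, purpose) pair: consent given once covers the
// same cookie used for the same purpose, but not the same cookie used for a new purpose.
function createConsentStore() {
  const granted = new Set();
  const key = (name, purpose) => `${name}\u0000${purpose}`;
  return {
    grant(name, purpose) { granted.add(key(name, purpose)); },
    withdraw(name, purpose) { granted.delete(key(name, purpose)); },
    has(name, purpose) { return granted.has(key(name, purpose)); },
  };
}

// Decide whether a cookie may be stored; the reason is returned so the caller can log
// why a cookie was blocked.
function decideCookie(store, cookie) {
  if (!cookie.purpose) {
    // An undeclared purpose cannot be shown to be strictly necessary: treat as needing consent.
    return { allowed: false, reason: "no-purpose-declared" };
  }
  if (EXEMPT_PURPOSES.has(cookie.purpose)) {
    return { allowed: true, reason: "exempt" };
  }
  if (store.has(cookie.name, cookie.purpose)) {
    return { allowed: true, reason: "prior-consent" };
  }
  return { allowed: false, reason: "consent-required" };
}

// Minimal stand-in for document.cookie so the gate runs outside a browser.
function createCookieJar() {
  const jar = new Map();
  return {
    set(name, value) { jar.set(name, value); },
    get(name) { return jar.get(name); },
    names() { return [...jar.keys()].sort(); },
  };
}

// Apply the gate: store the cookie only when the decision allows it.
function setCookieIfPermitted(jar, store, cookie) {
  const decision = decideCookie(store, cookie);
  if (decision.allowed) jar.set(cookie.name, cookie.value);
  return decision;
}

// Walkthrough over constructed cookies; returns every decision and the final jar contents.
function demo() {
  const store = createConsentStore();
  const jar = createCookieJar();
  const results = {};

  // Session cookie that keeps the user logged in to the service they asked for: exempt.
  results.session = setCookieIfPermitted(jar, store,
    { name: "sid", value: "abc123", purpose: "strictly-necessary" });

  // Analytics cookie before any consent: blocked.
  results.analyticsBefore = setCookieIfPermitted(jar, store,
    { name: "_ga", value: "GA1.1", purpose: "analytics" });

  // User gives express consent for analytics; the same cookie is now allowed.
  store.grant("_ga", "analytics");
  results.analyticsAfter = setCookieIfPermitted(jar, store,
    { name: "_ga", value: "GA1.1", purpose: "analytics" });

  // Same cookie name, different purpose: the earlier consent does not carry over.
  results.sameCookieNewPurpose = decideCookie(store,
    { name: "_ga", value: "GA1.1", purpose: "advertising" });

  // Cookie with no declared purpose: blocked.
  results.undeclared = decideCookie(store, { name: "x", value: "1" });

  // Consent withdrawn: the next attempt is blocked again.
  store.withdraw("_ga", "analytics");
  results.analyticsWithdrawn = decideCookie(store,
    { name: "_ga", value: "GA1.1", purpose: "analytics" });

  return { results, stored: jar.names() };
}
```

In a real site the consent store would be persisted (typically itself in a strictly necessary cookie or local storage) and the purpose attached to each cookie would come from the site's cookie inventory; the point of keying consent on both name and purpose is that re-purposing an already-consented cookie is a new processing that the "once per same cookie, same purpose" rule does not cover.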

Traffic data (regs 7 & 8):

Traffic data must be erased (or modified so that they cannot identify the subscriber or user) when no longer required for the purposes of transmitting a communication.

Such data required for billing purposes may be retained for so long as required for that purpose, provided that the subscriber or user has been provided with information regarding the types of traffic data that are to be processed and the duration of processing.

Such data may be processed and stored if

- required for marketing or value added services in relation to that subscriber / user, AND

- that subscriber / user has consented, AND

- the processing and storage is for no longer than necessary for the purpose of marketing or value added services in relation to that subscriber / user, AND

- the subscriber or user has been provided with information regarding the types of traffic data that are to be processed and the duration of processing BEFORE consent was obtained.

Such data may only be processed for

- management or billing of traffic

- customer enquiries

- fraud prevention or detection

- marketing of electronic communications services

- provision of a value added service

Location data (reg 14):

[Location data may be considered to include reference to tracking of IP addresses.]

Location data (excluding traffic data) may only be processed

- where the user or subscriber cannot be identified, or

- where necessary for the provision of a value added service AND with the consent of that user or subscriber

Before giving consent a user or subscriber must be told

- the types of location data that will be processed

- the purpose and duration of processing

- whether the data will be transmitted to a third party for the purpose of providing the value added service

Consent can be withdrawn at any time, and the user or subscriber must be given a simple and free-of-charge means of refusing the processing each time (s)he connects to the network or sends a communication.

Processing may only be carried out by or on behalf of the service provider or value added service provider, and (where for providing a value added service) must be restricted to that purpose.

Spam (regs 22 & 23):

[Spam for direct marketing allowable if ‘opt in’ only]

Unsolicited email for the purposes of direct marketing must not be sent to an individual subscriber unless the recipient has previously notified the sender that he consents to such communications being sent by the sender. (Reg 22 protects individual subscribers; it does not apply to corporate subscribers, although reg 23 below applies to all direct marketing email.)

Direct marketing email may nevertheless be sent (the ‘soft opt-in’) where

- the sender has obtained the contact details in the course of a sale, or negotiations for a sale, to the recipient, AND

- the direct marketing is in respect of the sender’s own similar products / services, AND

- the recipient was given a simple and free means of refusing when the details were first collected, and, if (s)he did not refuse at that time, is given it again at the time of each subsequent communication.

Email for the purposes of direct marketing is prohibited (reg 23)

- where the sender’s identity is disguised or concealed, or

- where a valid address to which the recipient may send a request that communications cease is not provided

Disclaimer of liability:

The information on these
pages is provided free and for information only, and is provided 'as is'.
Whilst believed to be correct, it is in no way comprehensive. It is provided
for your interest only and is not intended to be relied on as formal legal
advice. The posting of information on these pages is not intended to create a
lawyer-client relationship, and you should not act or rely on this information
without seeking professional advice. No liability is accepted therefore for any
errors, or for any losses that may be incurred if it is relied on.

Copyright details:

You may read these pages
on-line, and download them to read later, for your own personal use.
This copyright notice must appear on every page that you print from here.
You must not redistribute these pages or any part of them in any form or medium
without first obtaining my consent.
You are welcome to set up links to this website from others.